Security: how best to test for port vulnerability

The other day I was playing around with the Network Utility in OSX and decided to try the Port Scan tab. I was surprised when it gave the following as being open TCP ports:

22 ssh
23 telnet
80 http
139 netbios-ssn
445 microsoft-ds
30005
44401

Now, although I'm very security-conscious I'm no expert when it comes to securing TCP or UDP ports, but a little asking around revealed that these were ok results. Apparently, in addition to the NAT translation, there's a firewall in my router that blocks all unsolicited incoming connections, and this port scan was, in any event, probably an internal test scan, rather than one organised from the Internet.


These comments eased my mind, but one contact has subsequently asked whether OSX really does perform this from the LAN side of the router. An alternative would be for OSX to make a connection with an Internet-based server, requesting that server to perform an external scan of the WAN IP address. If this were the case, then this puts a very different light on the results.


So, does anyone in these forums know how 'Port Scan' in Network Utility performs its test? Can we be 100% certain that it does it in the direction Mac to router, rather than Internet to router?


Clearly, if the majority of these are actually open, as seen from the Internet, then there's huge cause for concern. About the only one I recognise there as being possibly valid is port 80. As for 30005 and 44401, they don't seem to even appear on any official port listings and indeed when I later repeated the scan they disappeared from the result.


I might add that I've got the OSX Firewall set up to block all incoming connections and it's also in stealth mode. Signed software is not automatically allowed on incoming connections. I run no other firewall or any antimalware.


I've found nothing on my Mac that explains exactly what happens when OSX performs this scan. Has anyone else ever found a description of any sort?


It's been suggested that I use a website like Shields Up to specifically test from the Internet side and although many years ago I used SU from time to time for testing a Windows machine, these days I'm less willing to use my IP address at any website. Am I being paranoid, or actually sensible? Is OSX Port Scan definitely executed internally?


Sometimes, endeavouring to be totally invulnerable can get you into deep water, so I want to avoid that if at all possible. For example, I highly suspect that if I were to block port 23, I'd probably find I could then no longer run my router's GUI. There's no immediately obvious means of blocking port 23 anyway, and my guess is that blocking some or all of these ports from being open access to my Mac would be possible only via a Terminal modification.

iMac (27-inch, Late 2013), OS X Mavericks (10.9.5)

Posted on Mar 18, 2017 4:51 AM

10 replies

Mar 18, 2017 9:24 AM in response to carefulowner

Network Utility is going from your Mac to the address you specified. If you pointed back at yourself, then that is what you are going to see, and it is most likely not even going to get put onto your local LAN. The network layers will most likely just re-vector the request at the network driver level.


None of these are seen from the internet, because your home router does not have a clue where to send a port request from the internet, unless you have setup router port forwarding, OR you have a device on your LAN that has used Universal Plug and Play on your router to open a port on the internet side to receive a network connection from the outside world.


Since you do not want to use ShieldsUp, then if you want Network Utility -> Port Scan to look at your router from the internet side of things, try getting your Internet address <http://whatismyip.com>, then plug this address into Network Utility -> Port Scan, and select the range of ports you want to scan.


If you do not trust this scan, then after using <http://whatismyip.com>, take that address to a friend's house, or take a Mac laptop to a coffee house and do a Network Utility -> Port Scan.


22 ssh - System Preferences -> Sharing -> Remote Access


23 telnet - I have no clue why you have a telnet server running. It is not a normal System Preferences -> Sharing feature. Telnet is not enabled on my system, so you have enabled something. Telnet is an early remote terminal connection method, but an unencrypted channel, including the username and password exchange. All traffic over telnet is clear text. ssh is the preferred method of remote terminal connections, as Secure Shell (ssh) is fully encrypted for all its activities.


80 http - you have a web server running


139 netbios-ssn - I know it has to do with Windows networking.


445 microsoft-ds - this is System Preferences -> Sharing -> File Sharing


For these 2 ports, use Google

Google "30005 tcp port"

Google "44401 tcp port"

And see if the explanations provided match up with software you are using

Mar 18, 2017 11:00 AM in response to BobHarris

When I did the port scan it was with my WAN IP address selected, so yes in theory the exercise should have been looking back on myself, as it were, but via my router.


Let's take the relevant ports in turn and your comments on them. First, 22 ssh: In System Preferences > Sharing, I've all aspects of sharing turned off and it's been like that ever since the year dot. Remote Management is also especially turned off in my router as well. So, in theory my Mac's status should be okay in that regard. However, perhaps there's some other reason why port 22 is open? Can't imagine what, though.


23 telnet: I've never specifically or knowingly opened port 23. However, I do know that telnet has to be enabled in order to allow access to my router's GUI, or indeed even just showtime-reported stats, so maybe it's okay for 23 to be open, as long as telnetting is confined to the LAN side of the router and never the WAN side?


80 http: you say that I have a web server running. Well, I don't, at least not as far as I'm aware. Depends also on what you mean by server. Some servers operate within LANs, others work across the Internet, e.g. DHCP inside a LAN, DNS servers outside a LAN. Remember, every browser uses port 80.


139 netbios-ssn: this could have become listed as open because I've a Windows machine on the same LAN, albeit that I never use it to access the Web these days.


445 microsoft-ds: again, I don't engage in any file sharing, and all aspects of file sharing in that applet in System Preferences are turned off. I could well believe, however, that this is something to do with the fact that I run Office For Mac on my Mac, as that requires a logical connection for the notification and downloading of Office updates.


What I definitely have managed to determine is that the OSX Firewall, which of course I've had configured to my requirements from the very outset, operates on the basis of allowing or disallowing connections to applications that run on the Mac. Unlike with other firewalls that are used in quite different OSs, the OSX Firewall doesn't normally deal in port nos. Instead, it just concerns itself with applications. Furthermore, the OSX Firewall is as presented at the inward side of the Mac; the Firewall itself can't determine what goes on in any other part of the LAN or anything outside of that. 'Port Scan' utility cannot either but, unlike the Firewall, can (apparently), with the appropriate WAN IP address plugged in, report to the Mac the status of certain ports, as seen looking into the router from the Internet side. But given that there's NAT and there's also another firewall incorporated into the router, it's highly surprising to find that the particular ports I've listed are all open.


The problem is that Apple doesn't appear to publish anything that explains exactly how Port Scan, as run from OSX, actually works. It seems to me that unless they do, only specialist Mac techies and those with advanced knowledge of network security will ever be able to adequately assess the results.

Mar 18, 2017 1:23 PM in response to carefulowner

If you gave your Router's internet facing IP address, as specified by <https://www.whatismyip.com/>, then there are several possibilities, some of them not very good.


Pointing Network Utility -> Port Scan at the router's Internet facing IP address does not mean you are seeing your Mac's open ports. And it really does explain the Telnet port being open, because Macs have not enabled a Telnet port for years, or maybe never did.


So possibilities:


A) Your router has been configured to port forward an internet facing port to a device inside your network (generally this is something that needs to be done by an admin, but a lot of routers use default admin names and default passwords, so some Javascript in a web page could access your router, and configure it to do whatever the offending web page Javascript wanted).


Or you did it, and have forgotten


B) You told your router to put your Mac into the DMZ, which means any unsolicited network connection gets passed to the device placed in the router's DMZ


C) Your router is offering up those ports on its own for remote management. If there are backdoors (and many routers have been guilty of allowing backdoor access from the internet), then your router is not safe.


D) A program running on a device inside your network has used Universal Plug and Play to tell the router to open a port (or ports).


E) A family member has been messing with your router, or is the one running software opening ports.


F) I haven't imagined a 6th option yet, but I'm sure there is one.


It could be any of the above, or a combination of the above.


Google your router. Find out if there are issues with it having open ports. Get the users manual for your router. Login as the admin and examine all the settings. Find out if there is something in the router allowing this.


Point Network Utility -> Port Scan at your Mac, and at the other devices inside your home, this includes smart TVs, smart phones, Apple TV, Chrome Cast, Firestick, Roku, personal computers, tablets, smart lightbulbs, smart thermostats, web cams, etc.... and figure out if they are using any matching port number.


If you are using the ISP provided router, maybe it is time to get your own and take control of your front door. If you own the router, maybe it is time to get a better router, or even, if you want total control, get a router where you can install DD-WRT open source firmware on your router.

Mar 18, 2017 2:46 PM in response to BobHarris

Most people with a modicum of knowledge of networking don't need to use a facility such as whatismyip, as they know it already, and that's the case here. In setups where static WAN IP addressing is used, the address gets issued by the ISP and so is necessarily used in various parts of the router's configuring.


As far as I can see, none of your 'possibilities' point to anything tangible. For instance, I almost know my router settings backward and I can assure you that port forwarding is definitely not in use. Also, there's no feature within the router's settings for enabling Javascript, or even Telnet for that matter (though I seem to recall seeing enabling/disabling settings for those in earlier versions of the router's firmware).


Neither have I forgotten about any router settings. In fact, I only completely reconfigured the router just three weeks ago, having changed ISP. I keep hardcopy screenshots of all the most important router settings.


I've most certainly not put the router into the DMZ.


Plug n' play has been disabled from the outset, as I don't need it and UPnP's a known security risk anyway.


Remote management within the router has been turned off from the outset, being also a known security risk. All remote management concerned with the Mac itself is also disabled.


No family member has been tampering with my Mac or router, not unless they've perfected the art of being invisible and have travelled several hundred miles to do so. (They wouldn't have the first clue, anyway). I'm the sole person here and therefore the sole user of the machine (infiltration from the Web aside).


As for the router's user manual, do you honestly believe that I've never consulted it?! It's there, on my Desktop. From Day One, I assure you!


As for other devices inside my home, there aren't any that are even remotely associated with my LAN or router. And no, I don't use a wireless connection (if that's the next thing on which you're going to speculate).


The router is not one provided by my ISP, it's one I bought myself. It's a reliable, popular model. I recently flushed and re-flashed its firmware. Been using it for 3 or 4 years.


As I say, I appreciate you playing devil's advocate but the possibilities you've cited just don't apply.


Someone's suggested using Shields Up, but I've been told by others not to bother using that, as its Port Scan facility is well out-of-date and gives fallacious results.

Mar 18, 2017 4:01 PM in response to carefulowner

Hello carefulowner,

BobHarris is one of the most knowledgeable engineers here on Apple Support Communities. He actually is an engineer in real life. I strongly suggest you reconsider his suggestions.


The only thing I can add is that, as far as the internet is concerned, your router is your IP address. Your Mac is hidden behind it. As long as you have all sharing disabled on the Mac, then the Mac is fine. Go ahead and turn off the firewall as it is useless. Based on what you've said about how you have configured the Mac firewall, you are one of the few people who has managed to configure it to actually do something. Its default settings provide no protection of any kind. The only secure setting is to turn off all sharing. If you must use some sharing services, make sure to use a strong, unique password. Don't waste any time with the firewall.


I'm still not entirely sure which device you scanned. The only IP address that makes any difference is the one returned by whatismyip or a similar service. Your router is most definitely in the DMZ. That is how it works.

Mar 20, 2017 5:49 AM in response to etresoft

I thought I'd let you know that I've not only sought explanations for this issue on this Apple Communities forum but also in other forums on the Web, and you'd be amazed at the variety of answers I've received over the last 4 or 5 days. Bear in mind that, although OSX's Port Scan feature has been the driving engine in this issue, the security aspect has not centred on OSX's firewall. Instead, the question has been whether the router is presenting open ports to the outside world or not.


But, cutting to the chase, I've now at long last solved the puzzle. Reluctant as I was to use a freebie external scanner on a website somewhere (as some give flawed results), I contacted my ISP about it. This was a long shot but they've now kindly run a comprehensive external scan on my router's fixed WAN IP address and have confirmed that there are no visible open ports.


What they've found from the test is what the router manufacturer also maintained - that even though I'd run a scan on an external IP of the router from a machine inside my LAN, the scan utility was actually giving me the answer for the internal side of the router, which as often as not is that ports are open.


My ISP has added that these ports, or at least those first five, are often and legitimately seen as open on the LAN side of the router but should normally be closed on the WAN (Internet) side. The only typical instance of any of them needing to be open that my ISP could think of offhand was in the case of someone wanting to do port forwarding to a server running those services.


Now, I don't know whether Port Scan is any different in the newer versions of OSX (mine's Mavericks 10.9.5) but I'd now definitely advise not to rely on OSX's Port Scan to test any external IPs, because the results might be completely wrong!


My thanks go to Bob and others who've made helpful suggestions along the way or who've acted as devil's advocate to get some other possibilities considered.

Mar 20, 2017 6:22 AM in response to carefulowner

"Most people with a modicum of knowledge of networking don't need to use a facility such as whatismyip, as they know it already, and that's the case here. In setups where static WAN IP addressing is used, the address gets issued by the ISP and so is necessarily used in various parts of the router's configuring."

I do not know what your background, experience nor capabilities are. I just have a slight glimpse from this thread, and what I think I may have learned from that could be a misinterpretation on my part.


Am I interpreting correctly that you pay your ISP for a static IP address?


That is not common, except for businesses, so it is not something I assume, hence my suggestion to use "WhatIsMyIP.com", as most home users have an ISP dynamically assigned IP address (DHCP). Granted the IP address does not generally change often, as long as the router stays up and connected to the ISP. But for most users, when the ISP has a network disruption, or the user loses power, often times a new IP address is assigned to the router, hence the use of WhatIsMyIP.com, or a similar service that will tell the user what their IP address is today.


So just to be absolutely sure we are both talking about the same thing. The static IP address is not of the form 192.168.x.x, nor 10.x.x.x, nor 172.{16..31}.x.x. Then again, there are a few ISPs that are double NAT'ing their users because the IPv4 addresses are running out.


I'm just trying to make sure you were port scanning the router's public IP address, and not the private, inside the house router LAN address.


If you have a laptop you can take to a coffee shop or anyplace else you could run the Port Scan on your router that is most definitely outside your house, that would be helpful, as there would not be any confusion with maybe the router doing loopback shortcuts when it sees the target address is its own public IP address.


If you do not have a laptop, then a friend/family member, at a different location, with a computer you can use, would do. It does not need to be a Mac, as you can always Google to find what utility will perform a port scan on the friend/family member's operating system of choice.


You do NOT need to do a 0-65564 port scan. You can ask it to just scan the specific ports you are interested in verifying are open on the public IP address. Only expand your scan if the results from outside your home do not match what you are seeing from inside.


I am really concerned that port 23 (telnet) is open. That is a very old and insecure protocol. Heck, if your list of ports are open on the Public Internet side of your router, AND you do not have software that is asking the router to open them, and you have not asked the router to open them, then I'm concerned that any of them are open.


I am less concerned if those ports are open on the Private LAN side, which is why I'm trying to be very sure you and I are talking about the same things, without actually giving out information that should not be put in a public forum.

"The router is not one provided by my ISP, it's one I bought myself. It's a reliable, popular model. I recently flushed and re-flashed its firmware. Been using it for 3 or 4 years."

Backdoors have been found in several popular routers, in some cases across all their products going back years. One very popular router has had a backdoor discovery as recently as this past December, 2016.


Sometimes ISP's give users a combination modem that is ALSO a router. Most users just use that, but some put their own router in front of that. I want to make sure we are not mis-communicating and the router seen from the Public Internet is yours and not a router provided by the ISP that is in front of your router.


Bottom line, if you really are seeing ports

22, 23, 80, 139, 445, 30005 and 44401

open on your Public Internet side of your router, then something is going on that neither you nor I understand.
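The checks Bob walks through above (is the target a private address, is the router itself behind another NAT, is the scanning machine sitting behind the very router it is scanning) and the port list at the top of the thread can be turned into a small triage helper. This is an added example, not code from the thread or from Apple; the function names, the `router_wan_ip` / `scanner_public_ip` inputs and the 203.0.113.x / 198.51.100.x addresses are assumptions and constructed test values, and the scan text is the thread's own listing reformatted.

```python
import ipaddress

# Address blocks that are only reachable from inside a home or ISP network.
# The RFC 1918 ranges are the ones Bob names; 100.64.0.0/10 (RFC 6598) is the
# shared block ISPs hand out when they double-NAT customers (added here as an
# assumption about the "double NAT'ing" case the thread mentions).
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


def classify_vantage(target: str, router_wan_ip: str, scanner_public_ip: str) -> str:
    """Say what a TCP scan of `target` can actually tell you.

    router_wan_ip     - WAN address shown on the router's own status page
    scanner_public_ip - address the scanning machine appears as to the Internet
                        (for a machine inside the LAN this equals the router's
                        public address; from a coffee shop it differs)
    """
    if is_private(target):
        return "lan-side"            # describes the LAN-facing side only
    if is_private(router_wan_ip):
        return "double-nat"          # an ISP box upstream is the real front door
    if scanner_public_ip == target:
        return "loopback-suspect"    # NAT loopback may answer from the inside
    return "external"                # genuinely the Internet-facing view


# Constructed from the list at the top of the thread: "port [service-name]".
SAMPLE_SCAN = """22 ssh
23 telnet
80 http
139 netbios-ssn
445 microsoft-ds
30005
44401"""


def parse_scan(text: str):
    """Return (port, name-or-None) tuples; skips lines that are not port rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0].isdigit():
            rows.append((int(parts[0]), parts[1] if len(parts) > 1 else None))
    return rows


def triage(scan_text: str, vantage: str, forwarded=frozenset()) -> dict:
    """Map each open port to a verdict given where the scan was run from.

    forwarded: ports you deliberately forward; only those are expected to be
    open when the vantage is truly external."""
    findings = {}
    for port, name in parse_scan(scan_text):
        if vantage != "external":
            # An inside-looking-out result; unnamed ports still need a
            # LAN device/process identified, as Bob suggests.
            verdict = "lan-result-only" if name else "identify-lan-service"
        elif port in forwarded:
            verdict = "expected-forward"
        else:
            verdict = "unexpected-exposure"
        if port == 23:
            verdict += "+cleartext-telnet"   # insecure wherever it is reachable
        findings[port] = verdict
    return findings
```

Run `triage(SAMPLE_SCAN, classify_vantage(...))` with your own three addresses; only an `external` vantage turns an open port into an exposure finding.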

Mar 20, 2017 6:36 AM in response to carefulowner

Apparently I was in the middle of composing my reply, while you were composing yours. I just took longer to finish 🙂

"Now, I don't know whether Port Scan is any different in the newer versions of OSX (mine's Mavericks 10.9.5) but I'd now definitely advise not to rely on OSX's Port Scan to test any external IPs, because the results might be completely wrong!"

In this case it is most likely your router's loopback behavior. Other routers actually show the Public Internet side when you port scan the Public IP address. My Apple Airport Extreme shows me the Public Internet side (as I have a few Port Forwarded unique high numbered open ports, and they would only show up on the Public Internet side of my router).


And I confirmed this morning I see those same ports from a Panera via my laptop.


But you are correct, any port scan done from inside looking at a router's Public IP address must be confirmed, as the router may be playing fast and loose with loopback, as appears to be the case with your router.


I'm glad you have confirmed that there are no ports open on the Public Internet side of your router.

Mar 20, 2017 7:45 AM in response to BobHarris

"That is not common, except for businesses, so it is not something I assume ....."


Bob, you (and others) have perhaps been a bit too presumptuous when it's come to considering WAN IP addresses. Whilst it may be common in the States and some other parts of the globe for subscribers' router addresses to be assigned dynamically, that's not the case everywhere. Parts of Europe, for example, have a de-regulated comms industry, and big guns compete alongside the smaller ones for market share, where broadband services are concerned. And since many of the smaller ISPs concentrate to a large degree on their business customers and therefore tend to issue static IP addresses to them, the practice is invariably carried over to their residential customers also. So, it's by no means rare for people to have a static IP for the address of their router (or router-modem).


The usual gut reaction to this is that it must therefore make that IP far more vulnerable to the bad guys. Well, longevity has shown that that's not the case; studies have shown that there's little difference between static and dynamic addresses in that regard. I guess that's primarily because it takes only a fraction of a second for an unprotected connection to be infiltrated from the Web. What it does mean, though, is that the customer with such a static address has to be a lot more vigilant about security and to not, for instance, willingly divulge their WAN IP address to all and sundry. This is a good thing, in my view. Someone's Internet IP can, of course, be easily obtained via other data but that's only going to be of interest to hackers who've identified and decided to target a particular individual. But then if that individual's router's external ports have been secured, penetration is never likely to occur, except by invitation. Most sensible users of a static address will have their IPs 'stealthed' anyway, so hackers won't even realise that they exist.
